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mance  resulting  from  malfunctions  and  failures  of  the  system  components.  Complete 
Information  Is  given  for  setting  up  the  Input  data,  obtaining  a run  and  Interpreting 
the  results.  Figures  defining  the  punch  card  formats  for  Input  data  are  provided 
that  can  be  used  as  data  sheets.  Examples  Illustrating  the  use  of  the  program 
are  also  Included.  The  DEPEND  program  Is  written  In  FORTRAN  IV  language  for  the  CDC 
Cylber  70,  6000  Series  and  7000  Series  computer  systems. 


PREFACE 


This  is  the  Final  Report  on  studies  related  to  Ka-Band  System 
Reliability  Improvement  under  Air  Force  Contract  No.  F33615-75-C-1208.  The 
report  is  organized  in  three  parts.  Part  I,  Volume  I,  depicts  the  system  model  as 
organized  in  its  functional  relationship  form;  describes  the  overall  program; 
presents  the  probabilistic  estimates  of  reliability,  maintainability,  availability, 
dependability,  etc.  of  the  Ka-Band  SATCOM  Set  based  on  all  the  data  available; 
identifies  the  components  most  likely  to  malfunction  or  fail;  and  presents 
guidelines  for  the  specification  of  reliability  and  maintainability  requirements  for 
the  next  generation  system.  Part  I,  Volume  H,  contains  Appendix  B which  presents 
detailed  results  of  the  Tabular  System  Analysis  (TASA)  of  the  Ka-Band  SATCOM 
Set.  Part  I,  Volume  HI  contains  Appendix  C which  presents  detailed  results  of  the 
numerical  reliability,  availability  and  dependability  predictions  for  the  Ka-Band 
SATCOM  Set.  Part  n contains  guidelines  for  an  Integrated  Reliability  and 
Maintainability  (R/M)  Program  Plan  intended  as  a model  for  the  specific  R/M 
plans  that  will  be  required  for  the  procurement  of  future  generation  systems. 
Part  III  is  the  DEPEND  Computer  Program  User’s  Manual.  The  DEPEND 
(Determination  of  Equipment  Performance  and  Expected  Nonoperational  Delay) 
program  is  used  to  perform  the  arithmetic  and  documentation  for  the  Tabular 
System  Analysis. 
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SECTION  I 


INTRODUCTION  AND  SUMMARY 


This  manual  describes  the  use  of  the  DEPEND*  computer  program  to 
obtain  values  for  dependability,  availability,  reliability  and  related  performance 
parameters  for  all  the  assemblies  of  a system's  functional  hierarchy.  The  model 
utilized  with  this  program  provides  for  the  use  of  alternative  malfunction  ana 
failure  definitions  and  calculates  the  corresponding  probabilities  of  assembly 
malfunction  or  failure;  that  is,  the  undependabilities,  unavailabilities  and 
unreliabilities.  The  DEPEND  program  keeps  track  of  all  the  organizational  details 
of  the  model  as  well  as  performing  the  arithmetic.  The  mathematical  basis  and 
historical  development  of  this  technique  are  described  in  Part  I of  this  report. 

Except  for  two  subroutines,  DEPEND  is  coded  in  FORTRAN  Extended 
4.6  language.  The  two  subroutines  are  coded  in  COMPASS  which  is  the  assembly 
language  for  Control  Data  Corporation  (CDC)  Cyber  70  Series,  6000  Series  and 
7000  Series  computer  systems.  DEPEND  is  currently  operational  on  the  Wright- 
Patterson  AFB  CDC  6600  computer  system.  Some  adaptation  will  be  required  to 
operate  the  program  on  other  than  CDC  computer  systems. 

The  mathematical  models,  details  of  the  analysis  methods  and  the 
results  obtained  in  an  analysis  of  an  airborne  EHF  communications  terminal  are 
presented  in  Part  I of  this  3-part  final  project  report.  Part  n is  an  integrated 
Reliability/Maintainability  Program  Plan  that  uses  the  TASA/DEPEND  methodolo- 
gy as  a tool  for  program  visibility  and  management  control.  This  part,  Part  HI,  of 
the  project  report  is  a User's  Manual,  containing  instructions  for  use  of  the 
TASA/DEPEND  methodology.  Extensive  computer  experience  is  not  required,  but 
it  is  assumed  that  the  user  has  detailed  technical  knowledge  about  the 
organization  and  functioning  of  the  system  to  be  analyzed. 

The  complete  analysis  procedure  consists  of  the  three  processes, 
Tabular  System  Analysis  (TASA),  acquisition  of  the  required  functional  element 
data  (MTBF  or  MTTR)  and  computation  using  the  DEPEND  computer  program. 
Although  the  primary  concern  of  this  part  of  the  report  is  to  provide  the  detailed 
instructions  for  using  the  DEPEND  program,  it  is  necessary  to  also  discuss  the 
other  two  processes  of  the  analysis. 


* Determination  of  Equipment  Performance  and  Expected  Nonoperational  Delay. 
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SECTION  II 


TABULAR  SYSTEM  ANALYSIS  (TASA) 


It  is  usual  engineering  practice  to  describe  a system  as  a nested 
organization  of  interdependent  and  interacting  devices  operating  to  accomplish  a 
specified  function.  To  assess  overall  system  dependability,  availability,  or 
reliability,  it  is  necessary  to  consider  the  individual  "ilities"  of  the  components 
and  subsystems  which  are  the  constituent  elements.  This  assessment  requires 
considering  the  consequences  of  malfunctions  or  failures  occurring  in  the  various 
subsystems,  both  singly  and  in  combination,  in  terms  of  functional  states  of 
components  and  other  assemblies  that  can  be  defined  in  an  overall  description  of 
the  system. 

The  initial  step  in  an  application  of  TASA  is  to  develop  a chart  or  charts 
showing  the  functional  hierarchy  of  the  elements,  assemblies  and  subsystems  that 
make  up  the  system.  The  partitioning  of  the  system  into  functional  assemblies  is 
not  critical  with  respect  to  the  DEPEND  program.  However,  it  is  recommended 
that  the  partitioning  be  done  in  a way  that  simplifies  the  determination  of  the 
consequences  of  malfunctions  or  failures;  that  is,  simplifies  the  functional 
complexity.  Otherwise,  the  consequence  determination  step  of  TASA  (which  will 
be  described  later)  becomes  unnecessarily  complicated. 

Figure  1 is  an  example  of  a functional  hierarchy  that  describes  the  upper 
levels  of  the  airborne  Ka-Band  SATCOM  Terminal*.  The  Ka-Band  Terminal  has 
three  primary  functional  links,  the  forward  link,  the  report-back  link  and  the 
conference  link.  Part  of  the  system  elements  are  functionally  common  to  two  or 
more  links**.  It  is  also  necessary  to  consider  the  system  initialization  (start-up) 
function  and  the  primary  power  source. 

It  is  important  to  recognize  that  function  is  distributed  across  time  as 
well  as  across  hardware  components.  This  is  illustrated  in  Figure  1 by  noting  that 
the  three  links  of  the  Ka-Band  Terminal  operate  for  different  lengths  of  time 
during  a mission.  To  simplify  the  logic  as  well  as  facilitate  computations, 
functional  blocks  have  been  added  to  express  the  transition  from  one  functional 
cycle  of  use  of  a specific  assembly  to  the  transmission  or  reception  of  one 
message  and  ultimately  the  total  numbers  of  messages  transmitted  and  received 
during  the  mission. 

Concurrently  with  the  development  of  the  functional  hierarchy  for  the 
system,  mutually  exclusive  functional  states  are  defined  for  each  assembly  and 
subassembly  in  the  system  hierarchy.  Thus,  the  functional  state  of  the  system  is 


• The  numbers  in  the  lower  left  hand  corners  of  the  functional  blocks  are  assigned 
for  use  as  identifiers  throughout  the  analysis. 

••  Functionally  common  means  that  a malfunction  or  failure  will  cause  more  than 
one  link  to  be  degraded  or  inoperative. 
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FIGURE  1.  KA-Band  Satcom  Set  Functional  Diagram 


represented  as  depending  upon  the  functional  states  of  the  next  lower  level  of 
assemblies  and  so  on  down  to  the  lowest  level  subassemblies  (elements)  for  which 
meaningful  functional  states  can  be  defined.  The  resulting  arrangement  of 
assemblies  and  their  functional  states  may  be  thought  of  as  a state  tree.  This 
state  tree  is  similar  to  the  fault  tree  of  Fault-Tree  Analysis  and,  indeed,  that  is 
its  origin.  However,  the  state  tree  is  not  limited  to  faults  and  can  include  almost 
anything  pertinent  to  the  system's  function.  Furthermore,  because  TASA 
considers  all  possible  combinations  of  states,  the  TASA  state  tree  corresponds  to 
all  of  the  possible  Fault  Trees  for  the  system  together  with  the  trees  associated 
with  other  states  that  are  not  actually  faults.  Table  1 is  an  example  listing  of 
functional  state  definitions  corresponding  to  the  functional  hierarchy  of  the 
airborne  Ka-Band  Terminal  previously  shown  in  Figure  1. 

The  third  part  of  the  TASA  is  the  engineering  determination  of  the 
functional  state  of  each  system  assembly  based  on  various  combinations  of  the 
functional  states  of  their  constituent  assemblies.  Tabular  work  sheets  are 
provided*  for  TASA  use  that  list  in  a systematic  manner  selected  combinations  of 
input  assembly  functional  states.  With  these  tables,  up  to  697  separate 
engineering  decisions  are  made  and  documented  in  the  analysis  of  each 
assembly**. 

The  basic  concept  underlying  this  part  of  TASA  is  to  assume  a particular 
combination  of  the  functional  states  for  all  of  the  subassemblies  that  make  up  a 
given  assembly  and  then  make  an  engineering  estimate  of  functional  consequences 
in  terms  of  the  assembly  functional  state  that  would  result.  This  process  is 
repeated  for  all  combinations  of  subassembly  functional  states  under  the  practical 
constraints  that  no  more  than  3 subassembly  functional  states  will  be  varied 
si  m ultaneously . * * * 

The  preprinted  tables  of  up  to  28  pages  of  25  lines  per  page  are  a 
shorthand  representation  of  the  reliability  model  for  each  system  assembly.  Each 
line  (or  row)  represents  a term  in  the  reliability  model  for  an  assembly  functional 
state.  These  tables  are  essentially  a binary  count  with  the  restriction  that  only 
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* A complete  set  of  the  28  pages  of  TASA  work  sheets  is  included  as  Section  VI 
of  this  manual. 

*•  This  number  is  a practical  limit  of  the  DEPEND  computer  program.  It  does 
not  limit  the  application  of  TASA  because  additional  subassembly  groupings 
can  always  be  defined  to  overcome  any  problems  this  practical  limit  might 
cause. 

•*•  The  DEPEND  program  computations  include  an  estimate  of  a "residual" 
probability  that  the  assembly  is  in  a state  resulting  from  simultaneous 
occurrence  of  more  than  3 subassembly  malfunction  or  failure  states. 
Experience  shows  that  the  value  of  this  probability  is  usually  small  in 
comparison  with  the  other  values  computed.  However,  it  is  incorporated  in 
subsequent  calculations  so  that  its  effect  is  considered  throughout  the 
analysis. 
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TABLE  1 

EXAMPLE  ASSEMBLY  IDENTIFICATIONS  AND  FUNCTIONAL  STATE  DEFINITIONS 
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rows  containing  three  "l's"  or  less  are  included.  The  analysis  proceeds  by 
assigning  input  subassembly  states  to  columns  of  the  table  working  from  right  to 
left.  A ”1"  appearing  in  a column  signifies  the  occurrence  of  the  malfunction  or 
failure  state  of  the  input  subassembly  or  element  which  that  column  represents. 
The  engineering  analysis  proceeds  by  determining  for  each  row  of  the  table  the 
consequences  of  the  combination  of  input  malfunction  or  failure  states  denoted  by 
the  "l's"  appearing  in  that  row  in  terms  of  the  functional  states  defined  for  the 
assembly.  During  this  analysis  it  is  frequently  necessary  to  assign  the 
consequential  assembly  functional  state  for  simultaneous  input  malfunction  and 
failure  states  on  a dominance  basis;  that  is,  one  input  malfunction  or  failure  state 
produces  consequences  that  dominate  over  the  effect  of  other  simultaneously 
occurring  states. 

At  the  basic  level,  each  column  of  the  TASA  table  represents  an  input 
element  malfunction  or  failure  state  that  has  a known  probability  of  occurrence. 
A "1"  appearing  in  this  column  signifies  the  occurrence  of  that  malfunction  or 
failure  state  while  a "0"  signifies  that  the  state  has  not  occurred.  Thus,  there  is  a 
"probability  of  nonoccurrence"  associated  with  each  "0".  By  multiplying  the 
probabilities  associated  with  each  of  the  "l's"  and  "0's"  in  a row,  one  term  is 
obtained  of  the  "ility"  equation  for  the  assembly  function  state  assigned  to  that 
row  by  the  analyst.  The  sum  of  the  terms  for  all  rows  assigned  to  a particular 
assembly  functional  state  is  an  "ility"  model  for  that  state.  There  is  a 
corresponding  model  for  each  malfunction  and  failure  state  for  each  assembly 
throughout  the  system  hierarchy. 

The  performance  of  this  part  of  the  TASA  is  illustrated  by  the 
following  example.  Let  Assembly  4 consists  of  functional  subassemblies  1,  2 and 
3.  The  Assembly,  and  each  subassembly,  has  three  mutually  exclusive  functional 
states;  normal,  degraded  and  inoperative.  Whenever  Subassembly  1 is  inoperative, 
Assembly  4 will  also  be  inoperative.  However,  Subassembly  2 and  Subassembly  3 
are  redundant  so  that  Assembly  4 will  continue  to  operate  (although  in  a degraded 
mode)  as  long  as  Subassembly  1 and  either  of  the  other  two  subassemblies  are 
operational.  If  none  of  the  three  subassemblies  is  operating  normally,  the 
assembly  is  considered  to  be  in  the  inoperative  state. 

The  functional  hierarchy  for  this  example  is  shown  at  the  top  of  Figure 
2.  For  this  simple  example,  the  list  of  possible  functional  states  is  included  in 
each  block.  At  the  bottom  of  the  figure,  a number  of  the  possible  combinations  of 
states  are  listed  together  with  the  consequence  state  for  the  assembly. 

The  TASA  Work  Sheet  for  this  example  is  shown  in  Table  2.  First  note 
that  consequence  state  "9"  is  reserved  for  identifying  impossible  combinations  of 
subassembly  states.  Since  it  is  required  that  the  functional  state  definitions  be 
mutually  exclusive,  it  is  impossible  for  one  subassembly  to  be  in  both  the  degraded 
(not  failed)  state  and  the  failed  state.  When  the  TASA  work  sheet  directs 
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TABLE  2.  TASA  WORKSHEET  FOR  EXAMPLE  ANALYSIS 
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consideration  of  such  a state  combination,  the  impossibility  is  indicated  by 
entering  "9"  as  a consequence  state*. 

The  inoperative  state  of  Subassembly  1 is  seen  to  dominate  the  state 
of  the  other  two  subassemblies  (card  columns  16-26  of  page  1).  However,  when 
Subassembly  1 is  operating  normally,  (card  columns  1-15  of  page  1),  the 
redundancy  of  Subassemblies  2 and  3 is  seen  in  that  only  the  inoperative  state  of 
both  results  in  an  inoperative  assembly  (card  column  6 of  page  1). 

For  this  example,  the  analyst  chose  to  consider  the  assembly  to  be 
degraded  if  there  is  a fault  in  any  subassembly.  In  a different  example,  a 
different  definition  might  have  been  used  for  assembly  degradation  so  that  as  long 
as  Subassembly  1 and  either  Subassembly  2 or  3 are  operating  normally,  the 
assembly  operation  is  considered  to  be  normal.  This  would  affect  card  columns  2- 
9 of  page  1 of  the  TASA  Work  Sheet  as  shown  in  Table  3. 

Referring  back  to  Page  2 of  Table  2,  the  inoperative  assembly 
consequence  shown  in  card  columns  7,  8, 10  and  11  is  the  result  of  the  requirement 
that  the  assembly  be  considered  inoperative  if  there  is  a fault  in  each 
subassembly.  Removal  of  this  requirement  would  permit  card  columns  8,  10  and 
11  to  be  changed  to  ”1"  indicating  that  in  these  cases  the  assembly  would  be  in  the 
degraded  state. 

The  complete  documentation  of  each  of  the  engineering  decisions 
pertaining  to  the  consequences  of  a given  combination  of  subassembly  malfunction 
or  failure  states  is  an  important  benefit  of  TASA.  The  DEPEND  program  provides 
for  an  optional  reproduction  of  the  TASA  work  sheets.  This  documentation  makes 
detailed  review  of  the  analysis  by  other  engineering  personnel  practical.  This  is 
particularly  beneficial  where  problems  have  been  detected  by  the  analysis.  The 
detailed  engineering  review  of  the  analysis  can  provide  significant  insight 
concerning  possible  causes  of  the  problem  and  potential  technical  solutions. 


• The  DEPEND  program  checks  for  "impossible"  combinations  and  corrects  the 
analyst  if  necessary.  When  such  corrections  occur,  the  analysis  should  be 
checked  since  possible  state  combinations  may  have  been  incorrectly 
declared  as  impossible. 
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TABLE  3.  TASA  WORKSHEET  FOR  SECOND  EXAMPLE 
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SECTION  m 


ACQUISITION  OF  FUNCTIONAL  ELEMENT  DATA 

To  operate  the  DEPEND  program,  MTBF  and  MTTR  data  are  required 
for  each  malfunction  and  failure  state  defined  for  each  functional  element*  of 
the  system.  In  the  early  stages  of  system  development,  when  the  emphasis  is 
placed  on  "ility"  prediction,  the  procedures  of  MIL-HDBK-217B  and  MIL-HDBK- 
472  can  be  used  to  predict  the  MTBF  and  MTTR  for  each  element  malfunction  and 
failure  state.  The  resulting  DEPEND  outputs  are  the  "ility"  predictions  for  the 
system.  Where  actual  experience  data  are  available  for  the  functional  elements, 
these  data  can  be  used.  In  this  case  the  DEPEND  outputs  are  an  "ility"  assessment 
of  the  system.  Bayesian  combinations  of  predicted,  experience  and  test  data  can 
also  be  used  to  generate  a practical  set  of  element  MTBF  and  MTTR  values.  One 
procedure  for  making  such  combinations  is  described  in  Part  1 of  this  report.  In 
any  case,  the  credibility  and  interpretation  of  the  analysis  results  will  depend  on 
the  validity  and  choice  of  the  element  data  used.  Thus,  it  is  necessary  to 
document  and  substantiate  the  source  of  element  MTBF  and  MTTR  values  used  as 
input  for  the  DEPEND  program. 


• Note  that  element  refers  only  to  the  lowest  functional  block  of  the  system 
hierarchy. 
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SECTION  IV 


USING  THE  DEPEND  PROGRAM 


The  DEPEND  program  runs  in  batch  mode  from  a punched  card  deck 
that  consists  of  a control  record,  relocatable  binary  program,  and  four  data 
records.  The  card  deck  structure  is  shown  in  Table  4. 

GENERAL  INPUT  DATA  REQUIREMENTS 

Operation  of  the  DEPEND  program  requires  the  user  to  supply  four 
types  of  data:  (1)  output  control  data,  (2)  assembly  identifications  and  functional 
state  definitions,  (3)  element  MTBF  and  MTTR  values,  (4)  functional  operation 
data,  structure  data  and  fault  consequence  data.  Specific  requirements  for  input 
of  these  data  are  given  in  the  next  section.  As  a general  rule,  integer  data  must 
be  right  justified  in  its  card  field.  Fixed  point  numbers  may  be  placed  anywhere  in 
the  data  field  providing  the  decimal  point  is  included.  Floating  point  numbers 
must  be  right  justified  in  their  card  field. 

SPECIFIC  INPUT  DATA  REQUIREMENTS 

As  stated  previously,  the  input  card  deck  consists  of  five  records  in 
addition  to  the  relocatable  binary  program.  Initially  it  will  be  necessary  to  obtain 
the  assistance  of  computer  operating  personnel  to  compile  the  program  on  the 
user's  CDC  computer  system*.  After  the  relocatable  binary  deck  has  been 
obtained  and  verified  with  a check  program,  the  user  can  assemble  the  input  card 
deck  as  described  below. 

Job  Control  and  Program  Records 

The  operation  of  the  DEPEND  computer  code  to  perform  the  TASA 
calculation  requires  a job  control  record  similar  to  that  shown  in  Table  5 which 
utilizes  a relocatable  binary  program  deck  via  the  INPUT,  program  call.  The  copy 
utility  routines  are  then  used  to  transfer  results  to  the  computer  output  file. 


TABLE  5.  TYPICAL  DEPEND  JOB  CONTROL  RECORD 


JOBCARD. 

INPUT. 

COPY,  TAPE  9,  OUTPUT. 
COPY,  TAPE  8,  OUTPUT. 
COPY,  TAPE  1,  OUTPUT. 
(789.)  EOR 

Relocatable  Binary  Program 
(789)  EOR 


* The  FORTRAN  Extended  Compiler  (FTN)  Version  4 should  be  used. 
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TABLE  4.  DEPEND  PROGRAM  INPUT  DECK  STRUCTURE 

[Job  Control  Record] 

(789)  EOR 

[Relocatable  Binary  Program  Deck] 

(789)  EOR 

[Data  Record  1 — Output  Control  Card  and  Title] 

(789)  EOR 

[Data  Record  2 — Assembly  Identification  and  Functional  State 
Identification] 

(789)  EOR 

[Data  Record  3 — Element  MTBF  and  MTTR  Data] 

(789)  EOR 

[Data  Record  4 — System  Functional  Model] 

(6789)  EOJ 


Several  options  are  available  by  deleting  control  cards.  If  the 
paragraph  summaries  of  results*  are  not  desired,  TAPE  1 should  not  be  printed. 
Deleting  the  printing  of  TAPE  9 will  eliminate  the  percentage  contribution 
tables*.  Deleting  the  printing  of  TAPE  8 will  eliminate  the  analysis  tables*  from 
the  output. 


The  binary  program  deck  is  inserted  following  the  control  record. 
Following  this,  the  four  data  records  are  inserted  in  the  order  described  below. 

Output  Control  and  Title  (Data  Record  1) 

The  first  data  record  consists  of  an  output  control  card  followed  by  up 
to  five  title  cards  and  ends  with  a (789)  EOR  card. 

The  first  card  of  this  record  (output  control  card)  contains  four  logical 
values  and  the  ATTR  Weighting  Factor  all  separated  by  commas.  A .TRUE,  value 
of  the  first  logical  variable  will  cause  a listing  of  the  state  identifications  to  be 
printed.  If  the  second  logical  variable  is  .TRUE.,  a listing  of  the  element  MTBF 
and  MTTR  values  and  a listing  of  the  corresponding  reliability/unreliability  and 
availability/unavailability  values  are  printed.  Setting  the  third  logical  variable  to 
.TRUE,  causes  the  analysis  tables  to  be  recorded  on  TAPE  8.  if  the  fourth  logical 
variable  is  .TRUE,  the  percentage  contribution  tables  will  be  recorded  on  TAPE  9. 

The  ATTR  Weighting  Factor  is  used  by  the  program  whenever  the 
calculations  involve  states  including  more  than  one  malfunction.  In  such  cases, 
the  largest  of  the  pertinent  restore  times  is  extended  by  a portion  of  the  sum  of 
the  other  pertinent  restore  times.  If  the  value  of  the  Weighting  Factor  is  zero, 
only  the  longest  of  the  pertinent  restore  times  is  utilized.  A Weighting  Factor 
value  of  1.0  will  cause  the  sum  of  the  pertinent  restore  times  to  be  employed  in 
the  calculations.  Intermediate  values  of  the  Weighting  Factor  will  cause  a 
corresponding  portion  of  the  summed  restore  times  to  be  used.  The  first  card  of 
Figure  3 illustrates  the  control  card  format  for  the  case  where  all  outputs  are 
required  and  the  value  of  the  ATTR  Weighting  Factor  if  0.8. 


• These  outputs  are  described  in  Section  V of  this  manual. 
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TRUE., .TRUE., .TRUE., .TRUE., 0.8 

DEPEND  ABILITY /RELIABILITY /AVAILABILITY/MAINTAIN  ABILITY  ANALYSIS 

OF  THE 

ADM  SATCOM  COMMUNICATIONS  TERMINAL 
PREPARED  FOR 

THE  AIR  FORCE  AVIONICS  LABORATORY 


FIGURE  3.  EXAMPLE  OUTPUT  CONTROL  AND  TITLE  RECORD 


Following  the  control  card,  up  to  5 cards  may  be  used  to  provide  a title 
for  the  analysis.  Each  card  is  an  80-character  line  of  the  title  that  will  be  printed 
starting  in  column  22  of  the  output  title  page.  If  fewer  than  five  cards  are  used, 
the  (789)  EOR  card  will  control  the  title  length.  An  example  title  is  shown  in 
Figure  3. 

Assembly  Identification  and  Functional  State  Definition  (Data  Record  2) 

The  second  data  record  consists  of  identifications  of  all  the  elements, 
subassemblies  and  assemblys  in  the  system  and  definitions  of  their  functional 
states.  The  cards  may  be  in  any  order  but  it  is  recommended  that  the  numeric 
sequence  be  retained  within  cards  for  a given  functional  block.  The  first  three 
columns  of  each  card  are  the  identification  number  assigned  for  the  element, 
subassembly  or  assembly;  the  fourth  column  is  a decimal  point  and  the  fifth 
column  is  the  state  number  in  the  range  from  0 to  8.  State  number  0 is  used  to 
denote  the  element,  subassembly  and  assembly  identifications.  Columns  6 through 
10  are  not  utilized  by  the  computer  and  may  be  left  blank.  The  alphanumeric 
identification  corresponding  to  the  numeric  identification  appears  in  columns  11 
through  80.  An  example  of  this  data  record  was  shown  previously  in  Table  1.  This 
data  record  is  terminated  by  a (789)  EOR  card. 

Element  Data  (Date  Record  3) 


The  third  data  record  contains  the  input  data  for  the  analysis  elements 
in  the  form  of  MTBF  and  MTTR  values  for  each  malfunction  and  failure  state. 
The  format  of  these  data  is  listed  in  Table  6. 


If  the  number  of  element  states  (column  5)  is  greater  than  4,  the  MTBF 
and  MTTR  values  are  continued  on  a second  card  starting  in  column  16.  The 
element  number  must  be  repeated  on  this  card  in  columns  1-3  and  76-78  and  the 
sequence  number  02  is  punched  in  columns  79-80. 


Data  Record  3 is  terminated  by  a (789)  EOR  card.  An  example  listing 
of  this  data  record  is  shown  in  Figure  4. 

System  Functional  Model  (Data  Record  4) 


Data  record  4 must  contain  an  entry  for  each  nonelemental  assembly 
in  the  system.  Each  such  entry  will  consist  of  two  or  more  cards.  The  first  card 
describes  the  characteristics  of  the  assembly  using  the  format  listed  in  Table  7. 


The  model  data  for  the  assembly  is  entered  starting  with  the  second 
card.  This  data  consists  of  the  consequence  assignments  from  the  TASA  Work 
Sheets.  There  may  be  up  to  697  such  assignments  depending  upon  the  number  of 
input  malfunction  or  failure  states.  These  data  are  entered  with  25  values  per 
card  (26  for  the  first  card)  using  the  format  shown  in  Table  8.  An  example  Data 
Record  4 is  shown  in  Figure  5. 

The  (6789)  EOJ,  end-of-job,  card  follows  the  model  data  for  the  last 
assembly  and  terminates  Data  Record  4. 
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ELEMENT  DATA  CARD  FORMAT 


Contents 

Element  identification  number 

Must  be  blank 

Number  of  malfunction  or  failure  states 
value  must  be  in  range  0 to  8 inclusive 

Number  of  functional  cycles  of  use  during 
the  time,  TUSE 

TUSE  “ time  of  use  in  seconds 
MTBF  for  first  malfunction  state  in  hours 
MTTR  for  first  malfunction  state  in  hours 
MTBF  for  second  malfunction  state  in  hours 
MTTR  for  second  malfunction  state  in  hours 
MTBF  for  third  malfunction  state  in  hours 
MTTR  for  third  malfunction  state  in  hours 
MTBF  for  fourth  malfunction  state  in  hours 
MTTR  for  fourth  malfunction  state  in  hours 
Element  identification  number 
Card  sequence  number  ■ 01 


TABLE  7.  ASSEMBLY  DATA  CARD  FORMAT 


Column 

Field  Length 

Contents 

1-3 

3 

Assembly  Number 

4 

1 

Blank  Column 

5 

1 

Number  of  malfunction/failure  states 

6-10 

5 

Number  of  functional  cycles  for  assembly 

11-15 

5 

Length  of  one  functional  cycle  in 
seconds 

16-17 

2 

Number  of  input  malfunction/failure 
states 

18-19 

2 

Number  of  input  elements/subassemblies 

20-22 

3 

Identification  number  of  first  element/ 
subassembly 

23-25 

3 

Identification  number  of  second  element/ 
subassembly 

26-28 

3 

Identification  number  of  next  element/ 
subassembly 

29-67 

13  x 3 

Identification  numbers  of  up  to  13 
more  elements/subassemblies 

68-73 

5 

Blank  columns 
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Figure  5.  Example  Tasa  Model  Data  Record 


TABLE  8.  MODEL  DATA  FORMAT 


Column 


1 

2-26 

27-73 


Field  length 
1 

25  x 1 
47 


Contents 


0 on  first  card,  on  subsequent  cards 
Consequence  assignments  - (Integers  0-9,  inclusive) 
Blank  field 


RUNNING  THE  PROGRAM 


After  the  input  card  deck  is  assembled,  it  is  entered  into  the  computer 
via  the  card  reader.  The  program  performs  an  audit  of  the  input  data  and  issues 
data  error  diagnostic  messages  as  required.  Also,  a summary  of  run  performance  is 
entered  into  the  DAYFILE  record  printed  at  the  end  of  the  run. 

Error  Diagnostic  Messages  and  Location  Aids 

The  data  audit  routines  check  for  a number  of  common  data  errors  and 
issue  diagnostic  messages  as  required.  The  program  will  attempt  to  examine  all  of 
the  data  input  even  though  errors  are  encountered  so  that  the  number  of  data 
debugging  iterations  is  minimized.  Table  9 is  a listing  of  the  diagnostic  messages 
that  may  be  issued  together  with  an  interpretation  of  meaning.  In  several  cases, 
the  program  makes  checks  of  it's  stored  data  and  issues  diagnostics  if  errors  are 
detected.  These  diagnostics  should  not  appear  and  if  they  do  the  help  of  computer 
operating  personnel  is  needed. 

The  computer  system  will  issue  a FATAL  ERROR  - ILLEGAL  DATA  IN 
FIELD  diagnostic  and  abort  the  program  if  it  encouters  non-numeric  data  in  a 
numeric  field  of  the  input  card  decks.  This  error  will  also  be  encountered  in 
certain  cases  when  the  number  of  model  (consequence)  cards  does  not  agree  with 
the  number  of  subassembly/element  states  designated  on  the  structure  card. 

It  is  essential  that  the  format  rules  for  the  data  cards  be  followed. 
Otherwise  the  results  obtained  will  be  incorrect.  A Mode  2 error  "*ERROR  DATA 
INPUT  * DATA  OVERFLOW*  diagnostic  may  result  when  a floating  point  entry  is 
not  right  justified  in  the  card  field. 

When  a FATAL  ERROR  - INDEX  KEY  UNKNOWN  diagnostic  is 
encountered,  the  usual  meaning  is  that  an  assembly  has  referenced  a subassembly 
or  element  for  which  no  identification  or  state  definition  data  have  been  entered. 
Thus,  either  the  structure  card  is  incorrect  or  a subassembly  or  element  is  missing. 

Run  Performance  Summary 

The  program  prints  a number  of  DAYFILE  messages  pertaining  to  the 
program  operation.  In  particular,  messages  are  printed  giving  the  starting  time*, 
finishing  time*  and  time  used*  for  important  subroutines  in  the  program.  The 
number  of  passes  required  by  the  scheduling  routines  is  also  reported.  In  case  of  a 
fatal  error  these  data  help  to  indicate  the  progress  through  the  program  code.  An 
example  Run  Performance  Summary  is  shown  in  Figure  6. 


* These  times  are  in  terms  of  elapsed  central  processor  seconds. 
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TABLE  9.  LISTING  OF  DEPEND  ERROR  DIAGNOSTIC  MESSAGES 
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Figure  6.  Example  Run  Performance  Summary 
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SECTION  V 


DEPEND  PROGRAM  OUTPUTS 

The  DEPEND  program  outputs  a number  of  listings  relating  to  the  audit 
of  input  data  as  well  as  the  results  of  the  calculation.  The  following  descriptions  of 
these  outputs  are  given  in  the  order  they  occur  in  a typical  run. 

INPUT  DATA  PROCESSING  AND  AUDIT 

As  discussed  previously,  the  input  data  required  for  using  the  DEPEND 
program  includes  identifications  for  the  elements  and  assemblies,  definitions  of  the 
functional  states,  MTBF  and  MTTR  data  for  all  the  elements,  and  the  functional 
model  structure  and  state  consequence  data.  Several  output  listings  are  provided 
to  document  the  data  used  in  the  run  and  to  aid  in  the  audit  or  correction  of  the 
input  data  when  necessary. 

Assembly/Element  Identification  and 
Functional  State  Definitions 

As  noted  previously  in  Section  IV,  the  assembly/element  identification 
is  input  as  the  definition  for  the  normal  functional  state  and  has  the  numeric  label 
ending  in  .0.  The  DEPEND  program  output  offers  an  optional  alphanumeric  listing 
of  these  data  in  ascending  order  of  the  numeric  label.  An  example  of  this  listing 
was  shown  previously  in  Table  1.  This  listing  is  obtained  by  setting  the  first  field  of 
the  output  control  card  to  .TRUE,  and  is  eliminated  if  this  field  is  .FALSE.  In  any 
case,  a sorted  list  is  printed  of  the  numeric  labels  of  all  the  assembly  or  element 
identifications  and  functional  state  definitions  that  were  read.  An  example  of  this 
output  is  shown  in  Figure  7. 

Element  Data  Listings 

Several  types  of  outputs  relating  to  the  element  data  are  printed  by  the 
computer.  These  ares  input  card  images,  numerical  list  of  elements  processed,  and 
optional  listings  of  processed  element  data. 

To  provide  a record  of  the  element  data  used  in  the  DEPEND  run  and  to 
aid  the  correction  of  errors  or  changing  of  input  data,  a card  image  listing  of  the 
element  data  record  is  printed.  An  example  of  this  output  is  shown  in  Figure  8. 

A numerically  ordered  list  of  the  elements  for  which  data  have  been 
read  is  printed  by  the  computer.  This  list  is  useful  for  cross  checking  the  structure 
of  the  functional  model  and  as  a record  of  the  elements  included  in  the  run.  An 
example  of  such  a list  is  shown  in  Figure  9. 
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By  setting  the  second  field  of  the  output  control  card  to  .TRUE,  two 
listings  of  processed  element  data  are  obtained.  Both  listings  are  ordered  by 
increasing  numeric  label  and  include  the  element  identifications  and  functional 
state  definitions.  Also  included  are  the  data  for  number  of  functional  cycles  and 
use  time  per  functional  cycle.  The  first  listing  documents  the  MTBF  and  MTTR 
values.  An  example  of  this  listing  is  shown  in  Figure  10.  The  second  listing  shows 
the  calculated  values  of  reliability  and  availabiltiy  based  on  these  data.*  An 
example  of  this  output  is  shown  in  Figure  11  . 

Functional  Model  Data  Listings 

The  DEPEND  program  output  includes  two  types  of  listings  to  document 
the  functional  model  data.  These  are  a listing  of  input  card  images  and  an  optional 
listing  that  reproduces  the  TASA  work  sheet  format  to  show  the  details  of  the  state 
combinations  and  consequence  assignments. 

The  listing  of  input  card  images  from  the  model  input  deck  documents 
the  data  used  for  the  DEPEND  run.  It  is  a primary  means  of  tracking  down  errors 
and  debugging  the  model  data.  An  example  page  of  this  listing  is  shown  in  Figure 
12. 


The  system  functional  model  is  actually  documented  in  the  TASA  work 
sheets.  Setting  the  third  field  of  the  output  control  card  to  .TRUE,  causes  the 
computer  to  reproduce  the  TASA  data  in  tabular  form  on  a file  named  TAPE  8. 
Copying  TAPE  8 to  output  provides  a printed  record  of  the  TASA  including  the 
identification  of  the  elements,  subassemblies  and  assemblies  and  the  consequences 
determined  for  each  combination  of  element/subassembly  states  for  each  assembly. 
As  a general  rule,  once  the  model  has  been  debugged  and  a finalized  copy  of  this 
listing  obtained  the  listing  will  not  be  printed  for  runs  made  with  updated  element 
data.  However,  this  listing  does  provide  a comprehensive  documentation  of  the 
model  structure  and  consequence  assignments  used  for  the  DEPEND  run.  An 
example  page  of  this  State  Assignment  Listing  is  shown  in  Figure  13.  Note  that  the 
listing  for  just  this  one  assembly  continues  for  4 more  pages  of  the  computer 
output.  The  total  listing  for  a system  of  any  size  is  quite  large.  A title  page  is 
provided  for  the  listing  so  that  it  is  an  independent  documentation  of  the  model. 

ANALYSIS  SCHEDULE 

The  actual  operation  of  the  DEPEND  program  is  to  perform  the 
computations  for  each  functional  assembly  separately  once  all  the  necessary  input 
data  are  available.  Prior  to  the  start  of  any  computations  a scheduling  routine  is 
used  to  determine  the  order  in  which  the  computations  will  be  performed.  This 
routine  prints  the  resultant  analysis  schedule  showing  the  elements/subassemblies 
used  by  each  assembly  and  the  next  assemblies  to  use  the  results  obtained.  Since 
the  order  of  the  printed  results  are  in  the  order  in  which  computations  are 


* The  mathematical  model  used  for  the  calculation  is  discussed  in  Part  I of  the 
report. 
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Figure  10.  Example  Element  Data  Listing 
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performed,  this  analysis  Schedule  is  an  index  to  the  results  and  to  the  State 
Assignment  Listing  described  above.  An  example  Analysis  Schedule  is  shown  in 
Figure  14. 


ANALYSIS  SUMMARY 

The  results  of  the  DEPEND  calculations  are  output  in  both  tabular  and 
statement  form.  A title  page  is  provided  to  document  the  date  and  time  of  the 
DEPEND  run  and  the  title  of  the  analysis.  An  example  title  page  is  shown  in  Figure 
15. 

Tabular  Summary  of  Results 

The  results  of  the  "ility"  computations  for  each  functional  assembly  are 
printed  in  an  Analysis  Summary  on  one  page  of  the  computer  output.  An  example 
Analysis  Summary  is  shown  in  Figure  16.  At  the  top  of  the  summary,  the  assembly 
is  identified  together  with  the  other  assemblies  which  use  it  if  any. 

Next  are  listed  the  subassembly  or  element  state  data  employed  in 
terms  of  the  probability  of  state  occurrence  during  use  (unreliability)  and 
unavailability.  The  entry  ENT*  following  the  label  denotes  an  element  while 
CMP**  denote  a subassembly.  The  number  of  functional  cycles,  the  time  used  per 
cycle  and  the  average  restore  time  are  also  listed.  Note  that  the  unreliabilities  and 
unavailabilities  for  the  assembly  functional  states  are  only  printed  in  the  Analysis 
Summary  for  the  next  level  Assembly  where  it  is  used.  In  the  case  the  assembly  is 
a top  level  one,  a separate  listing  is  printed  on  the  next  page  to  record  the  "ility” 
data  and  the  undependabiltiy,  unreliability  and  unavailabiltiy  for  each  non-normal 
state.  An  example  of  such  a System  Data  listing  is  shown  in  Figure  17. 
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Referring  again  to  Figure  16,  the  second  part  of  the  Analysis  Summary 
records  the  probabilities  of  occurrence  of  each  functional  state  defined  for  the 
assembly.  The  probability  of  normal  operation  is  the  dependability  while  the 
probabilities  of  occurrence  of  the  other  functional  states  are  the  corresponding 
undependabilities.  An  extra  "residual"  state  is  included  to  account  for  the 
occurrence  of  states  rot  explicitly  defined  including  those  cases  of  four  or  more 
simultaneous  state  occurrences.  Included  in  this  part  of  the  summary  are 
calculated  predictions  of  the  average  time  between  occurrences  of  the  non-normal 
states  and  the  average  time  to  restore  normal  operation  after  such  an  occurrence. 

The  combined  prediction  for  ATBO  expresses  the  average  time  between 
occurrences  of  any  of  the  non-normal  states.  The  combined  ATTR  is  the  average 
restore  time  taking  into  account  the  probability  of  occurrence  of  each  non-normel 
state. 


* Entered  data 
••  Computed  estimate 
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Figure  16.  Example  Analysis  Summary 


Statement  of  Results 


At  the  bottom  of  each  Analysis  Summary  is  printed  a statement 
summarizing  the  operation,  "ility"  results,  expected  number  of  occurrences  of  non- 
normal  states  and  the  delay  that  the  system  user  is  expected  to  experience  in  case 
of  a malfunction. 


The  DEPEND  program  writes  a slightly  expanded  version  of  these 
statements  of  results  on  the  file  named  TAPE  1.  By  copying  this  file  to  OUTPUT,  a 
compilation  of  all  the  statements  of  results  is  obtained.  An  example  page  of  this 
listing  is  shown  in  Figure  18. 


OPTIONAL  SENSITIVITY  TABULATIONS 


When  the  fourth  field  of  the  output  control  card  is  set  to  .TRUE.,  the 
DEPEND  program  will  output  the  results  of  sensitivity  calculations  for  each 
assembly  onto  a file  named  TAPE  9.  Copying  this  file  to  OUTPUT  produces  a 
printed  listing  of  these  results.  * ■ 

Percentage  Contribution  Tabulations 


The  results  of  the  sensitivity  calculations  are  presented  in  terms  of  the 
percentage  contribution  of  each  element  or  subassembly  state  to  the  unavailability, 
unreliability  and  undependability  for  each  defined  assembly  state.  An  example 
page  of  this  output  is  shown  in  Figure  19. 

From  this  tabulation  the  relative  importance  of  each  element  or 
subassembly  state  to  the  malfunctioning  or  failure  of  the  assembly  can  be  easily 
observed.  This  provides  a rational  basis  for  allocating  resources  to  achieve 
improvement  of  the  assembly.  It  also  gives  a basis  for  specifying  "ility" 
requirements  for  the  elements  and  subassemblies  to  assure  that  the  assembly  meets 
it's  "ility"  goals. 

Tracing  System  Sensitivity 

The  number  of  possible  paths  involved  in  tracing  the  percentage 
contribution  to  system  undependabilities,  unreliabilities  and  unavailabilities  makes 
using  a computer  routine  for  this  purpose  impractical.  A large  amount  of  output 
would  be  obtained  for  the  large  number  of  low  or  zero  percentage  paths  which  are 
not  of  interest.  However,  a simple  calculator  procedure  has  been  developed  that 
can  be  used  to  evaluate  the  significant  percentage  contribution  of  components  to 
the  system  undependability,  unreliability  and  unavailability. 

The  assembly  sensitivity  tabulations  from  the  DEPEND  program  results 
are  used  in  a top-down  chain  calculation  that  proceeds  as  follows. 
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Figure  18.  Example  Page  of  Compilation  of  Result  Statements 


Figure  19.  Example  Page  of  Depend  Sensitivity  Tabulation 


r 


Utilizing  the  Percentage  Contribution  to  Assembly  listings  at  the 
system  level  (e.g.  Assembly  2),  select  a system  state  of  interest  and  an  assembly 
state  that  is  a significant  contributor  to  that  system  state.  The  computer  listings 
give  the  percentage  contribution  of  the  selected  assembly  state  to  the  total  system 
undependability,  unavailability  and  unreliability. 

From  the  computer  listings  for  the  assembly  select  the  subassembly 
state  of  interest  and  divide  it’s  percentage  contribution  (from  the  body  of  the 
tables)  by  the  assembly  state  percentage  contribution  (from  the  right-hand  column 
of  the  table).  Multiplying  the  value  previously  determined  for  the  percentage 
contribution  of  assembly  state  to  the  system  "ility"  by  this  ratio  gives  the 
percentage  contribution  of  subassembly  state  to  the  system  "ility". 

A similar  ratio,  determined  from  the  subassembly  listings  and  its' 
product  with  the  subassembly  percentage  contribution  obtained  above,  gives  the 
percentage  contribution  of  the  sub-assembly  state  to  the  system  "ility".  The 
calculations  may  be  continued  down  to  any  desired  level  included  in  the  computer 
analysis. 

An  example  illustrating  this  procedure  is  as  follows:  referring  to  Figure 
19,  42.5%  of  the  system  undependability  is  contributed  by  state  2.1  and  about  two 
thirds  of  this  is  the  28.2%  contribution  of  assembly  state  208.1.  From  the  listing 
for  assembly  208,  shown  in  Figure  20,  it  is  seen  that  33.1%  of  the  assembly 
contribution  is  attributed  to  state  208.1,  and  subassembly  204.1  is  responsible  for 
29.5%  of  the  assembly  208  contribution.  Hence,  (29.5/33.i)  x 28.2%  = 25.1%  of  the 
system  undependability  is  contributed  by  subassembly  state  204.1. 

This  process  is  continued  by  referring  to  the  sensitivity  tabulations  for 
assembly  204  and  so  on  down  through  the  functional  hierarchy.  The  results 
obtained  by  tracing  all  the  significant  paths  may  be  tabulated  to  identify  and  rank 
the  least  dependable  (or  reliable  or  available)  system  elements.  These  results  again 
provide  the  basis  for  guiding  "ility"  improvement  and  specification  efforts. 


! 
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Figure  20.  Example  Sensitivity  Tabulation  for  Assembly  20b 


SECTION  VI 


TASA  WORK  SHEETS 

Following  is  a complete  set  of  TASA  Work  Sheets.  These  sheets  can  be 
reproduced  as  needed  for  analyzing  the  User's  system. 
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GLOSSARY 


Assembly  The  functional  block  at  levels  of  the  functional  hierarchy  above 

the  elemental  level. 

ATBO  The  average  Time  Between  Occurrences  of  a specified  malfunc- 

tion or  failure  state  for  an  assembly  based  on  an  assumption  that 
the  time  distribution  of  their  occurrences  is  exponential. 

ATTR  The  Average  Time  To  Restore  the  assembly  function  to  normal 

following  occurrence  of  a specified  malfunction  or  failure  state. 

ATTR  A factor  ranging  from  0 to  1 used  to  determine  the  time  to 

Weighting  restore  an  assembly's  function  following  the  occurrence  of  a 

Factor  combination  of  two  or  three  subassembly  or  element  malfunction 

and  failure  states. 

Availability  The  probability  that  a specified  assembly  is  functional  at  the  start 
of  each  of  the  specified  number  of  uses  during  the  specified 
mission  time  interval. 

Average  Delay  The  delay  that  the  user  can  expect  when  a malfunction  or  failure 
occurs.  (Also  called  Average  Nonoperational  Delay.) 

Dependability  The  probability  of  completing  a specified  number  of  functional 
cycles  during  a specified  interval  of  time  of  an  assembly  (or 
element)  without  experiencing  a malfunction  or  failure  induced 
delay. 

Element  The  basic  functional  building  block  in  the  system  functional 

hierarchy.  The  MTBF  and  MTTR  data  are  input  at  this  level. 

Functional  The  performing  of  an  assembly's  function  from  start  to  finish. 

Cycle 

"ility"  dependability,  availability  and  reliability 

MTBF  Mean  Time  Between  Failures  of  malfunctions  for  an  element. 

MTTR  Mean  Time  to  Restore  an  element's  function  by  repair,  replace- 

ment or  other  means  following  occurrence  of  a malfunction  or 
failure.  MTTR  includes  the  time  needed  to  detect  malfunction  or 
failure  occurrence. 


Reliability 


Subassembly 

TASA 


Unavailability 


Unreliability 


Use  Time 


The  probability  that  a specified  assembly  successfully  performs  its 
function  during  each  of  the  specified  number  of  functional  cycles 
given  that  it  is  capable  of  performing  its  function  at  the  start  of 
each  cycle. 

A functional  assembly  becomes  a subassembly  when  it  is  used  at  a 
higher  level  of  the  functional  hierarchy. 

Tabular  System  Analysis:  An  orderly  procedure  for  developing  the 
functional  hierarchy  of  a system,  defining  the  malfunction  and 
failure  states  and  recording  the  consequences  of  malfunction  and 
failure  occurrences,  singly  and  in  combination. 

The  probability  that  a specified  assembly  will  not  be  capable  of 
performing  its  function  when  needed  because  of  the  occurrence  of 
a specified  malfunction  or  failure  state. 

The  probability  of  occurrence  of  a specified  malfunction  or  failure 
state  during  one  (or  more)  of  the  specified  number  of  functional 
cycles  of  specified  duration. 

The  interval  of  time  required  to  complete  a specified  number  of 
functional  cycles  not  counting  any  time  between  the  completion 
of  one  cycle  and  the  start  of  the  next. 
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